
From: Thomas Deutschmann <whissi@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
Date: Tue, 22 Dec 2020 22:44:54
Message-Id: 1608677046.36f38e537df50b879d2fe851801e104989b482a7.whissi@gentoo
1 commit: 36f38e537df50b879d2fe851801e104989b482a7
2 Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3 AuthorDate: Tue Dec 22 22:44:06 2020 +0000
4 Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5 CommitDate: Tue Dec 22 22:44:06 2020 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36f38e53
7
8 dev-libs/openssl: security cleanup (bug #759079)
9
10 Package-Manager: Portage-3.0.12, Repoman-3.0.2
11 Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
12
13 dev-libs/openssl/Manifest | 5 -
14 .../files/openssl-1.1.0k-fix-test_fuzz.patch | 19 --
15 .../openssl-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch | 30 --
16 dev-libs/openssl/openssl-1.1.0l.ebuild | 306 -------------------
17 dev-libs/openssl/openssl-1.1.1g.ebuild | 324 ---------------------
18 dev-libs/openssl/openssl-1.1.1h.ebuild | 324 ---------------------
19 6 files changed, 1008 deletions(-)
20
21 diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
22 index 49b73ef3c56..a7dabaf27ae 100644
23 --- a/dev-libs/openssl/Manifest
24 +++ b/dev-libs/openssl/Manifest
25 @@ -1,10 +1,5 @@
26 DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659
27 DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1c838de945903fcf959c62cc29ddcd1a0cb360fc5db234df86860a6a4c096f5ecc237611e4c2946b986a5500c24ba93c208ef4 SHA512 a48a7efb9b973b865bcc5009d450b428ed6b4b95e4cefe70c51056e47392c8a7bec58215168d8b07712419dc74646c2bd2fd23bcfbba2031376e292249a6b1b6
28 DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57 SHA512 c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32
29 -DIST openssl-1.1.0l-bindist-1.0.tar.xz 13184 BLAKE2B c09e023458faff17b10d6f20c28462c0851757a20d59b4b751220ab307324d5778252df112ad74fd319407cc75fdd1cd507d48058dd0234dc8c03020c882ed42 SHA512 39720ecee3ec6080c1416f2fb7c9246b89ee55b21be2baabad51eb6823dbe1559450b1ae92fa61ac1cf5ba04ac8c02438aa469bc65eae6905cf1ea486f270793
30 -DIST openssl-1.1.0l.tar.gz 5294857 BLAKE2B 0e4f30f9e8a22414325bd780dc4e875e962487fbe72967f0392ace959955429192541881a98d097d7bb75ed7238b1817b0c3c2c4da04421512bd538f2b07cdd7 SHA512 81b74149f40ea7d9f7e235820a4f977844653ad1e2b302e65e712c12193f47542fe7e3385fd1e25e3dd074e4e6d04199836cbc492656f5a7692edab5e234f4ad
31 -DIST openssl-1.1.1e-bindist-1.0.tar.xz 16948 BLAKE2B 78e034f1d263cbf5e57c92393f72acd07e86e39a5511a8852bad151371430954e07d787fd82cca55b373d1579bb22b9d29c9d677104ed68291a9d2dffe3ffbbb SHA512 0dbfb378b8f2724db82915e17fd4e43977e3e45030db25cdb9241c0ab842e41ef3d597ef71c4db5103635752dc2059ea6022597511a440f55fb56a5a52d3ccea
32 -DIST openssl-1.1.1g.tar.gz 9801502 BLAKE2B 5e3dd4725ff89b959a5436d64b521317c6ffeb377418cc24c6d1927fab923423cb5f5fce2f9c2cdee597041c7be156d09668a5fd13dc6ff06d235a83db94cf19 SHA512 01e3d0b1bceeed8fb066f542ef5480862001556e0f612e017442330bbd7e5faee228b2de3513d7fc347446b7f217e27de1003dc9d7214d5833b97593f3ec25ab
33 -DIST openssl-1.1.1h.tar.gz 9810045 BLAKE2B ac9ba6fb0c4da0a761e8655b6907634365ddb114216acfcfc981e13c211577b6bd23ea8d2ad0999c0960b039f5d3dead5733e6dc07c5231ab953307a9015cd36 SHA512 da50fd99325841ed7a4367d9251c771ce505a443a73b327d8a46b2c6a7d2ea99e43551a164efc86f8743b22c2bdb0020bf24a9cbd445e9d68868b2dc1d34033a
34 DIST openssl-1.1.1i-bindist-1.0.tar.xz 18124 BLAKE2B bcbce700676d1d61498ac98281b7ad06f9970d91afa6bfb2c259ab7462b2554be79a1c06759bc7aaeca9948c2f5276bac2c4f42dbc6822669f863444b9913ccd SHA512 1dbb81bcb4cf7e634bb363c7e2bb2590a1fe3fcb6c3b5e377cac3c5241abd116c2a89c516be8e5fd1799ab64375a58052a4df944eeadc87b0b7785da710906d8
35 DIST openssl-1.1.1i.tar.gz 9808346 BLAKE2B ca98bab08e1874134da113dd0bda0583c133c7dce5b739f9601641ed2cf97894e5e13d901f0db9367aa5d7b78c552ac598aa0a3c2a3f0a438daae044e29f58d6 SHA512 fe12e0ab9e1688f24dd862ac633d0ab703b499c0f34b53c3560aa0d3879d81d647aa0678ed517dda5efb2711f669fcb1a1e0e24f6eac2efc2cf4eae6b62014d8
36
37 diff --git a/dev-libs/openssl/files/openssl-1.1.0k-fix-test_fuzz.patch b/dev-libs/openssl/files/openssl-1.1.0k-fix-test_fuzz.patch
38 deleted file mode 100644
39 index 2c4cc31257c..00000000000
40 --- a/dev-libs/openssl/files/openssl-1.1.0k-fix-test_fuzz.patch
41 +++ /dev/null
42 @@ -1,19 +0,0 @@
43 -Test fuzz was forgotten when
44 -
45 - Perl: Use our own globbing wrapper rather than File::Glob::glob
46 -
47 -was backported to openssl-1.1.0 branch.
48 -
49 -Link: https://github.com/openssl/openssl/commit/b81cfa07ada850fd287d0a0c82ba280907f18ce7
50 -
51 ---- a/test/recipes/90-test_fuzz.t
52 -+++ b/test/recipes/90-test_fuzz.t
53 -@@ -9,7 +9,7 @@
54 - use strict;
55 - use warnings;
56 -
57 --use if $^O ne "VMS", 'File::Glob' => qw/glob/;
58 -+use OpenSSL::Glob;
59 - use OpenSSL::Test qw/:DEFAULT srctop_file/;
60 - use OpenSSL::Test::Utils;
61 -
62
63 diff --git a/dev-libs/openssl/files/openssl-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch b/dev-libs/openssl/files/openssl-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch
64 deleted file mode 100644
65 index 35a435df28b..00000000000
66 --- a/dev-libs/openssl/files/openssl-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch
67 +++ /dev/null
68 @@ -1,30 +0,0 @@
69 -From bcf6a94c4bc912ad313ea21abdf7e83bbae450e5 Mon Sep 17 00:00:00 2001
70 -From: Nicola Tuveri <nic.tuv@×××××.com>
71 -Date: Thu, 12 Sep 2019 01:57:47 +0300
72 -Subject: [PATCH] Fix no-ec2m in ec_curve.c (1.1.0)
73 -
74 -I made a mistake in d4a5dac9f9242c580fb9d0a4389440eccd3494a7 and
75 -inverted the GF2m and GFp calls in ec_point_get_affine_coordinates, this
76 -fixes it.
77 ----
78 - crypto/ec/ec_curve.c | 4 ++--
79 - 1 file changed, 2 insertions(+), 2 deletions(-)
80 -
81 -diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c
82 -index 2d28d7f70bb..6a58b3a23e0 100644
83 ---- a/crypto/ec/ec_curve.c
84 -+++ b/crypto/ec/ec_curve.c
85 -@@ -3200,11 +3200,11 @@ int ec_point_get_affine_coordinates(const EC_GROUP *group,
86 -
87 - #ifndef OPENSSL_NO_EC2M
88 - if (field_nid == NID_X9_62_characteristic_two_field) {
89 -- return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx);
90 -+ return EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx);
91 - } else
92 - #endif /* !def(OPENSSL_NO_EC2M) */
93 - if (field_nid == NID_X9_62_prime_field) {
94 -- return EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx);
95 -+ return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx);
96 - } else {
97 - /* this should never happen */
98 - return 0;
99
100 diff --git a/dev-libs/openssl/openssl-1.1.0l.ebuild b/dev-libs/openssl/openssl-1.1.0l.ebuild
101 deleted file mode 100644
102 index 7e8ec91525c..00000000000
103 --- a/dev-libs/openssl/openssl-1.1.0l.ebuild
104 +++ /dev/null
105 @@ -1,306 +0,0 @@
106 -# Copyright 1999-2020 Gentoo Authors
107 -# Distributed under the terms of the GNU General Public License v2
108 -
109 -EAPI="7"
110 -
111 -inherit flag-o-matic toolchain-funcs multilib multilib-minimal
112 -
113 -MY_P=${P/_/-}
114 -
115 -# This patch set is based on the following files from Fedora 28,
116 -# see https://src.fedoraproject.org/rpms/openssl/blob/f28/f/openssl.spec
117 -# for more details:
118 -# - hobble-openssl (SOURCE1)
119 -# - ec_curve.c (SOURCE12) -- MODIFIED
120 -# - ectest.c (SOURCE13)
121 -# - openssl-1.1.0-ec-curves.patch (PATCH37) -- MODIFIED
122 -BINDIST_PATCH_SET="openssl-1.1.0l-bindist-1.0.tar.xz"
123 -
124 -DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
125 -HOMEPAGE="https://www.openssl.org/"
126 -SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
127 - bindist? (
128 - mirror://gentoo/${BINDIST_PATCH_SET}
129 - https://dev.gentoo.org/~whissi/dist/openssl/${BINDIST_PATCH_SET}
130 - )"
131 -
132 -LICENSE="openssl"
133 -SLOT="0/1.1" # .so version of libssl/libcrypto
134 -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
135 -IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
136 -RESTRICT="!bindist? ( bindist )
137 - !test? ( test )"
138 -
139 -RDEPEND=">=app-misc/c_rehash-1.7-r1
140 - zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
141 -DEPEND="${RDEPEND}"
142 -BDEPEND="
143 - >=dev-lang/perl-5
144 - sctp? ( >=net-misc/lksctp-tools-1.0.12 )
145 - test? (
146 - sys-apps/diffutils
147 - sys-devel/bc
148 - )"
149 -PDEPEND="app-misc/ca-certificates"
150 -
151 -PATCHES=(
152 - "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
153 - "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
154 - "${FILESDIR}"/${PN}-1.1.0k-fix-test_fuzz.patch
155 -)
156 -
157 -S="${WORKDIR}/${MY_P}"
158 -
159 -MULTILIB_WRAPPED_HEADERS=(
160 - usr/include/openssl/opensslconf.h
161 -)
162 -
163 -src_prepare() {
164 - if use bindist; then
165 - mv "${WORKDIR}"/bindist-patches/hobble-openssl "${WORKDIR}" || die
166 - bash "${WORKDIR}"/hobble-openssl || die
167 -
168 - cp -f "${WORKDIR}"/bindist-patches/ec_curve.c "${S}"/crypto/ec/ || die
169 - cp -f "${WORKDIR}"/bindist-patches/ectest.c "${S}"/test/ || die
170 -
171 - eapply "${WORKDIR}"/bindist-patches/ec-curves.patch
172 -
173 - local known_failing_test
174 - for known_failing_test in \
175 - 30-test_evp_extra.t \
176 - 80-test_ssl_new.t \
177 - ; do
178 - ebegin "Disabling test '${known_failing_test}' which is known to fail with USE=bindist"
179 - rm test/recipes/${known_failing_test} || die
180 - eend $?
181 - done
182 -
183 - # Also see the configure parts below:
184 - # enable-ec \
185 - # $(use_ssl !bindist ec2m) \
186 - fi
187 -
188 - # keep this in sync with app-misc/c_rehash
189 - SSL_CNF_DIR="/etc/ssl"
190 -
191 - # Make sure we only ever touch Makefile.org and avoid patching a file
192 - # that gets blown away anyways by the Configure script in src_configure
193 - rm -f Makefile
194 -
195 - if ! use vanilla ; then
196 - if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
197 - [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
198 - fi
199 -
200 - use bindist || eapply "${FILESDIR}"/${PN}-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch
201 - fi
202 -
203 - eapply_user #332661
204 -
205 - # make sure the man pages are suffixed #302165
206 - # don't bother building man pages if they're disabled
207 - # Make DOCDIR Gentoo compliant
208 - sed -i \
209 - -e '/^MANSUFFIX/s:=.*:=ssl:' \
210 - -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
211 - -e $(has noman FEATURES \
212 - && echo '/^install:/s:install_docs::' \
213 - || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
214 - -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
215 - Configurations/unix-Makefile.tmpl \
216 - || die
217 -
218 - # show the actual commands in the log
219 - sed -i '/^SET_X/s@=.*@=set -x@' Makefile.shared || die
220 -
221 - # quiet out unknown driver argument warnings since openssl
222 - # doesn't have well-split CFLAGS and we're making it even worse
223 - # and 'make depend' uses -Werror for added fun (#417795 again)
224 - [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
225 -
226 - # allow openssl to be cross-compiled
227 - cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
228 - chmod a+rx gentoo.config || die
229 -
230 - append-flags -fno-strict-aliasing
231 - append-flags $(test-flags-CC -Wa,--noexecstack)
232 - append-cppflags -DOPENSSL_NO_BUF_FREELISTS
233 -
234 - # Prefixify Configure shebang (#141906)
235 - sed \
236 - -e "1s,/usr/bin/env,${EPREFIX}&," \
237 - -i Configure || die
238 - # Remove test target when FEATURES=test isn't set
239 - if ! use test ; then
240 - sed \
241 - -e '/^$config{dirs}/s@ "test",@@' \
242 - -i Configure || die
243 - fi
244 - # The config script does stupid stuff to prompt the user. Kill it.
245 - sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
246 - ./config --test-sanity || die "I AM NOT SANE"
247 -
248 - multilib_copy_sources
249 -}
250 -
251 -multilib_src_configure() {
252 - unset APPS #197996
253 - unset SCRIPTS #312551
254 - unset CROSS_COMPILE #311473
255 -
256 - tc-export CC AR RANLIB RC
257 -
258 - # Clean out patent-or-otherwise-encumbered code
259 - # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
260 - # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
261 - # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
262 - # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
263 - # RC5: Expired https://en.wikipedia.org/wiki/RC5
264 -
265 - use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
266 - echoit() { echo "$@" ; "$@" ; }
267 -
268 - local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
269 -
270 - # See if our toolchain supports __uint128_t. If so, it's 64bit
271 - # friendly and can use the nicely optimized code paths. #460790
272 - local ec_nistp_64_gcc_128
273 - # Disable it for now though #469976
274 - #if ! use bindist ; then
275 - # echo "__uint128_t i;" > "${T}"/128.c
276 - # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
277 - # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
278 - # fi
279 - #fi
280 -
281 - local sslout=$(./gentoo.config)
282 - einfo "Use configuration ${sslout:-(openssl knows best)}"
283 - local config="Configure"
284 - [[ -z ${sslout} ]] && config="config"
285 -
286 - # Fedora hobbled-EC needs 'no-ec2m'
287 - # 'srp' was restricted until early 2017 as well.
288 - # "disable-deprecated" option breaks too many consumers.
289 - # Don't set it without thorough revdeps testing.
290 - # Make sure user flags don't get added *yet* to avoid duplicated
291 - # flags.
292 - CFLAGS= LDFLAGS= echoit \
293 - ./${config} \
294 - ${sslout} \
295 - $(use cpu_flags_x86_sse2 || echo "no-sse2") \
296 - enable-camellia \
297 - enable-ec \
298 - $(use_ssl !bindist ec2m) \
299 - enable-srp \
300 - $(use elibc_musl && echo "no-async") \
301 - ${ec_nistp_64_gcc_128} \
302 - enable-idea \
303 - enable-mdc2 \
304 - enable-rc5 \
305 - $(use_ssl sslv3 ssl3) \
306 - $(use_ssl sslv3 ssl3-method) \
307 - $(use_ssl asm) \
308 - $(use_ssl rfc3779) \
309 - $(use_ssl sctp) \
310 - $(use_ssl tls-heartbeat heartbeats) \
311 - $(use_ssl zlib) \
312 - --prefix="${EPREFIX}"/usr \
313 - --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
314 - --libdir=$(get_libdir) \
315 - shared threads \
316 - || die
317 -
318 - # Clean out hardcoded flags that openssl uses
319 - local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
320 - -e 's:^CFLAGS=::' \
321 - -e 's:\(^\| \)-fomit-frame-pointer::g' \
322 - -e 's:\(^\| \)-O[^ ]*::g' \
323 - -e 's:\(^\| \)-march=[^ ]*::g' \
324 - -e 's:\(^\| \)-mcpu=[^ ]*::g' \
325 - -e 's:\(^\| \)-m[^ ]*::g' \
326 - -e 's:^ *::' \
327 - -e 's: *$::' \
328 - -e 's: \+: :g' \
329 - -e 's:\\:\\\\:g'
330 - )
331 -
332 - # Now insert clean default flags with user flags
333 - sed -i \
334 - -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
335 - -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
336 - Makefile || die
337 -}
338 -
339 -multilib_src_compile() {
340 - # depend is needed to use $confopts; it also doesn't matter
341 - # that it's -j1 as the code itself serializes subdirs
342 - emake -j1 depend
343 - emake all
344 -}
345 -
346 -multilib_src_test() {
347 - emake -j1 test
348 -}
349 -
350 -multilib_src_install() {
351 - # We need to create $ED/usr on our own to avoid a race condition #665130
352 - if [[ ! -d "${ED}/usr" ]]; then
353 - # We can only create this directory once
354 - mkdir "${ED}"/usr || die
355 - fi
356 -
357 - emake DESTDIR="${D}" install
358 -}
359 -
360 -multilib_src_install_all() {
361 - # openssl installs perl version of c_rehash by default, but
362 - # we provide a shell version via app-misc/c_rehash
363 - rm "${ED}"/usr/bin/c_rehash || die
364 -
365 - dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
366 -
367 - # This is crappy in that the static archives are still built even
368 - # when USE=static-libs. But this is due to a failing in the openssl
369 - # build system: the static archives are built as PIC all the time.
370 - # Only way around this would be to manually configure+compile openssl
371 - # twice; once with shared lib support enabled and once without.
372 - use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
373 -
374 - # create the certs directory
375 - keepdir ${SSL_CNF_DIR}/certs
376 -
377 - # Namespace openssl programs to prevent conflicts with other man pages
378 - cd "${ED}"/usr/share/man || die
379 - local m d s
380 - for m in $(find . -type f | xargs grep -L '#include') ; do
381 - d=${m%/*} ; d=${d#./} ; m=${m##*/}
382 - [[ ${m} == openssl.1* ]] && continue
383 - [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
384 - mv ${d}/{,ssl-}${m}
385 - # fix up references to renamed man pages
386 - sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
387 - ln -s ssl-${m} ${d}/openssl-${m}
388 - # locate any symlinks that point to this man page ... we assume
389 - # that any broken links are due to the above renaming
390 - for s in $(find -L ${d} -type l) ; do
391 - s=${s##*/}
392 - rm -f ${d}/${s}
393 - # We don't want to "|| die" here
394 - ln -s ssl-${m} ${d}/ssl-${s}
395 - ln -s ssl-${s} ${d}/openssl-${s}
396 - done
397 - done
398 - [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
399 -
400 - dodir /etc/sandbox.d #254521
401 - echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
402 -
403 - diropts -m0700
404 - keepdir ${SSL_CNF_DIR}/private
405 -}
406 -
407 -pkg_postinst() {
408 - ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
409 - c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
410 - eend $?
411 -}
412
413 diff --git a/dev-libs/openssl/openssl-1.1.1g.ebuild b/dev-libs/openssl/openssl-1.1.1g.ebuild
414 deleted file mode 100644
415 index 7a3f675be54..00000000000
416 --- a/dev-libs/openssl/openssl-1.1.1g.ebuild
417 +++ /dev/null
418 @@ -1,324 +0,0 @@
419 -# Copyright 1999-2020 Gentoo Authors
420 -# Distributed under the terms of the GNU General Public License v2
421 -
422 -EAPI="7"
423 -
424 -inherit flag-o-matic toolchain-funcs multilib multilib-minimal
425 -
426 -MY_P=${P/_/-}
427 -
428 -# This patch set is based on the following files from Fedora 31,
429 -# see https://src.fedoraproject.org/rpms/openssl/blob/f31/f/openssl.spec
430 -# for more details:
431 -# - hobble-openssl (SOURCE1)
432 -# - ec_curve.c (SOURCE12) -- MODIFIED
433 -# - ectest.c (SOURCE13)
434 -# - openssl-1.1.1-ec-curves.patch (PATCH37) -- MODIFIED
435 -BINDIST_PATCH_SET="openssl-1.1.1e-bindist-1.0.tar.xz"
436 -
437 -DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
438 -HOMEPAGE="https://www.openssl.org/"
439 -SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
440 - bindist? (
441 - mirror://gentoo/${BINDIST_PATCH_SET}
442 - https://dev.gentoo.org/~whissi/dist/openssl/${BINDIST_PATCH_SET}
443 - )"
444 -
445 -LICENSE="openssl"
446 -SLOT="0/1.1" # .so version of libssl/libcrypto
447 -[[ "${PV}" = *_pre* ]] || \
448 -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~x86-linux"
449 -IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
450 -RESTRICT="!bindist? ( bindist )
451 - !test? ( test )"
452 -
453 -RDEPEND=">=app-misc/c_rehash-1.7-r1
454 - zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
455 -DEPEND="${RDEPEND}"
456 -BDEPEND="
457 - >=dev-lang/perl-5
458 - sctp? ( >=net-misc/lksctp-tools-1.0.12 )
459 - test? (
460 - sys-apps/diffutils
461 - sys-devel/bc
462 - sys-process/procps
463 - )"
464 -PDEPEND="app-misc/ca-certificates"
465 -
466 -PATCHES=(
467 - "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
468 -)
469 -
470 -S="${WORKDIR}/${MY_P}"
471 -
472 -# force upgrade to prevent broken login, bug 696950
473 -RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
474 -
475 -MULTILIB_WRAPPED_HEADERS=(
476 - usr/include/openssl/opensslconf.h
477 -)
478 -
479 -pkg_setup() {
480 - [[ ${MERGE_TYPE} == binary ]] && return
481 -
482 - # must check in pkg_setup; sysctl don't work with userpriv!
483 - if has test ${FEATURES} && use sctp; then
484 - # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
485 - # if sctp.auth_enable is not enabled.
486 - local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
487 - if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then
488 - die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
489 - fi
490 - fi
491 -}
492 -
493 -src_prepare() {
494 - # allow openssl to be cross-compiled
495 - cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
496 - chmod a+rx gentoo.config || die
497 -
498 - if use bindist; then
499 - mv "${WORKDIR}"/bindist-patches/hobble-openssl "${WORKDIR}" || die
500 - bash "${WORKDIR}"/hobble-openssl || die
501 -
502 - cp -f "${WORKDIR}"/bindist-patches/ec_curve.c "${S}"/crypto/ec/ || die
503 - cp -f "${WORKDIR}"/bindist-patches/ectest.c "${S}"/test/ || die
504 -
505 - eapply "${WORKDIR}"/bindist-patches/ec-curves.patch
506 -
507 - local known_failing_test
508 - for known_failing_test in \
509 - 30-test_evp_extra.t \
510 - 80-test_ssl_new.t \
511 - ; do
512 - ebegin "Disabling test '${known_failing_test}' which is known to fail with USE=bindist"
513 - rm test/recipes/${known_failing_test} || die
514 - eend $?
515 - done
516 -
517 - # Also see the configure parts below:
518 - # enable-ec \
519 - # $(use_ssl !bindist ec2m) \
520 - fi
521 -
522 - # keep this in sync with app-misc/c_rehash
523 - SSL_CNF_DIR="/etc/ssl"
524 -
525 - # Make sure we only ever touch Makefile.org and avoid patching a file
526 - # that gets blown away anyways by the Configure script in src_configure
527 - rm -f Makefile
528 -
529 - if ! use vanilla ; then
530 - if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
531 - [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
532 - fi
533 - fi
534 -
535 - eapply_user #332661
536 -
537 - if has test ${FEATURES} && use sctp && has network-sandbox ${FEATURES}; then
538 - ebegin "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox"
539 - rm test/recipes/80-test_ssl_new.t || die
540 - eend $?
541 - fi
542 -
543 - # make sure the man pages are suffixed #302165
544 - # don't bother building man pages if they're disabled
545 - # Make DOCDIR Gentoo compliant
546 - sed -i \
547 - -e '/^MANSUFFIX/s:=.*:=ssl:' \
548 - -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
549 - -e $(has noman FEATURES \
550 - && echo '/^install:/s:install_docs::' \
551 - || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
552 - -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
553 - Configurations/unix-Makefile.tmpl \
554 - || die
555 -
556 - # quiet out unknown driver argument warnings since openssl
557 - # doesn't have well-split CFLAGS and we're making it even worse
558 - # and 'make depend' uses -Werror for added fun (#417795 again)
559 - [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
560 -
561 - append-flags -fno-strict-aliasing
562 - append-flags $(test-flags-CC -Wa,--noexecstack)
563 - append-cppflags -DOPENSSL_NO_BUF_FREELISTS
564 -
565 - # Prefixify Configure shebang (#141906)
566 - sed \
567 - -e "1s,/usr/bin/env,${EPREFIX}&," \
568 - -i Configure || die
569 - # Remove test target when FEATURES=test isn't set
570 - if ! use test ; then
571 - sed \
572 - -e '/^$config{dirs}/s@ "test",@@' \
573 - -i Configure || die
574 - fi
575 - # The config script does stupid stuff to prompt the user. Kill it.
576 - sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
577 - ./config --test-sanity || die "I AM NOT SANE"
578 -
579 - multilib_copy_sources
580 -}
581 -
582 -multilib_src_configure() {
583 - unset APPS #197996
584 - unset SCRIPTS #312551
585 - unset CROSS_COMPILE #311473
586 -
587 - tc-export CC AR RANLIB RC
588 -
589 - # Clean out patent-or-otherwise-encumbered code
590 - # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
591 - # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
592 - # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
593 - # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
594 - # RC5: Expired https://en.wikipedia.org/wiki/RC5
595 -
596 - use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
597 - echoit() { echo "$@" ; "$@" ; }
598 -
599 - local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
600 -
601 - # See if our toolchain supports __uint128_t. If so, it's 64bit
602 - # friendly and can use the nicely optimized code paths. #460790
603 - local ec_nistp_64_gcc_128
604 - # Disable it for now though #469976
605 - #if ! use bindist ; then
606 - # echo "__uint128_t i;" > "${T}"/128.c
607 - # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
608 - # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
609 - # fi
610 - #fi
611 -
612 - local sslout=$(./gentoo.config)
613 - einfo "Use configuration ${sslout:-(openssl knows best)}"
614 - local config="Configure"
615 - [[ -z ${sslout} ]] && config="config"
616 -
617 - # Fedora hobbled-EC needs 'no-ec2m'
618 - # 'srp' was restricted until early 2017 as well.
619 - # "disable-deprecated" option breaks too many consumers.
620 - # Don't set it without thorough revdeps testing.
621 - # Make sure user flags don't get added *yet* to avoid duplicated
622 - # flags.
623 - CFLAGS= LDFLAGS= echoit \
624 - ./${config} \
625 - ${sslout} \
626 - $(use cpu_flags_x86_sse2 || echo "no-sse2") \
627 - enable-camellia \
628 - enable-ec \
629 - $(use_ssl !bindist ec2m) \
630 - enable-srp \
631 - $(use elibc_musl && echo "no-async") \
632 - ${ec_nistp_64_gcc_128} \
633 - enable-idea \
634 - enable-mdc2 \
635 - enable-rc5 \
636 - $(use_ssl sslv3 ssl3) \
637 - $(use_ssl sslv3 ssl3-method) \
638 - $(use_ssl asm) \
639 - $(use_ssl rfc3779) \
640 - $(use_ssl sctp) \
641 - $(use_ssl tls-heartbeat heartbeats) \
642 - $(use_ssl zlib) \
643 - --prefix="${EPREFIX}"/usr \
644 - --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
645 - --libdir=$(get_libdir) \
646 - shared threads \
647 - || die
648 -
649 - # Clean out hardcoded flags that openssl uses
650 - local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
651 - -e 's:^CFLAGS=::' \
652 - -e 's:\(^\| \)-fomit-frame-pointer::g' \
653 - -e 's:\(^\| \)-O[^ ]*::g' \
654 - -e 's:\(^\| \)-march=[^ ]*::g' \
655 - -e 's:\(^\| \)-mcpu=[^ ]*::g' \
656 - -e 's:\(^\| \)-m[^ ]*::g' \
657 - -e 's:^ *::' \
658 - -e 's: *$::' \
659 - -e 's: \+: :g' \
660 - -e 's:\\:\\\\:g'
661 - )
662 -
663 - # Now insert clean default flags with user flags
664 - sed -i \
665 - -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
666 - -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
667 - Makefile || die
668 -}
669 -
670 -multilib_src_compile() {
671 - # depend is needed to use $confopts; it also doesn't matter
672 - # that it's -j1 as the code itself serializes subdirs
673 - emake -j1 depend
674 - emake all
675 -}
676 -
677 -multilib_src_test() {
678 - emake -j1 test
679 -}
680 -
681 -multilib_src_install() {
682 - # We need to create $ED/usr on our own to avoid a race condition #665130
683 - if [[ ! -d "${ED}/usr" ]]; then
684 - # We can only create this directory once
685 - mkdir "${ED}"/usr || die
686 - fi
687 -
688 - emake DESTDIR="${D}" install
689 -}
690 -
691 -multilib_src_install_all() {
692 - # openssl installs perl version of c_rehash by default, but
693 - # we provide a shell version via app-misc/c_rehash
694 - rm "${ED}"/usr/bin/c_rehash || die
695 -
696 - dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
697 -
698 - # This is crappy in that the static archives are still built even
699 - # when USE=static-libs. But this is due to a failing in the openssl
700 - # build system: the static archives are built as PIC all the time.
701 - # Only way around this would be to manually configure+compile openssl
702 - # twice; once with shared lib support enabled and once without.
703 - use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
704 -
705 - # create the certs directory
706 - keepdir ${SSL_CNF_DIR}/certs
707 -
708 - # Namespace openssl programs to prevent conflicts with other man pages
709 - cd "${ED}"/usr/share/man || die
710 - local m d s
711 - for m in $(find . -type f | xargs grep -L '#include') ; do
712 - d=${m%/*} ; d=${d#./} ; m=${m##*/}
713 - [[ ${m} == openssl.1* ]] && continue
714 - [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
715 - mv ${d}/{,ssl-}${m}
716 - # fix up references to renamed man pages
717 - sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
718 - ln -s ssl-${m} ${d}/openssl-${m}
719 - # locate any symlinks that point to this man page ... we assume
720 - # that any broken links are due to the above renaming
721 - for s in $(find -L ${d} -type l) ; do
722 - s=${s##*/}
723 - rm -f ${d}/${s}
724 - # We don't want to "|| die" here
725 - ln -s ssl-${m} ${d}/ssl-${s}
726 - ln -s ssl-${s} ${d}/openssl-${s}
727 - done
728 - done
729 - [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
730 -
731 - dodir /etc/sandbox.d #254521
732 - echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
733 -
734 - diropts -m0700
735 - keepdir ${SSL_CNF_DIR}/private
736 -}
737 -
738 -pkg_postinst() {
739 - ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
740 - c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
741 - eend $?
742 -}
743
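--- a/dev-libs/openssl/openssl-1.1.1h.ebuild
+++ /dev/null
@@ -1,324 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-
-inherit flag-o-matic toolchain-funcs multilib multilib-minimal
-
-MY_P=${P/_/-}
-
-# This patch set is based on the following files from Fedora 31,
-# see https://src.fedoraproject.org/rpms/openssl/blob/f31/f/openssl.spec
-# for more details:
-# - hobble-openssl (SOURCE1)
-# - ec_curve.c (SOURCE12) -- MODIFIED
-# - ectest.c (SOURCE13)
-# - openssl-1.1.1-ec-curves.patch (PATCH37) -- MODIFIED
-BINDIST_PATCH_SET="openssl-1.1.1e-bindist-1.0.tar.xz"
-
-DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
- bindist? (
- mirror://gentoo/${BINDIST_PATCH_SET}
- https://dev.gentoo.org/~whissi/dist/openssl/${BINDIST_PATCH_SET}
- )"
-
-LICENSE="openssl"
-SLOT="0/1.1" # .so version of libssl/libcrypto
-[[ "${PV}" = *_pre* ]] || \
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
-IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib"
-RESTRICT="!bindist? ( bindist )
- !test? ( test )"
-
-RDEPEND=">=app-misc/c_rehash-1.7-r1
- zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
-DEPEND="${RDEPEND}"
-BDEPEND="
- >=dev-lang/perl-5
- sctp? ( >=net-misc/lksctp-tools-1.0.12 )
- test? (
- sys-apps/diffutils
- sys-devel/bc
- sys-process/procps
- )"
-PDEPEND="app-misc/ca-certificates"
-
-PATCHES=(
- "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
-)
-
-S="${WORKDIR}/${MY_P}"
-
-# force upgrade to prevent broken login, bug 696950
-RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
-
-MULTILIB_WRAPPED_HEADERS=(
- usr/include/openssl/opensslconf.h
-)
-
-pkg_setup() {
- [[ ${MERGE_TYPE} == binary ]] && return
-
- # must check in pkg_setup; sysctl don't work with userpriv!
- if has test ${FEATURES} && use sctp; then
- # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
- # if sctp.auth_enable is not enabled.
- local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
- if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then
- die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
- fi
- fi
-}
-
-src_prepare() {
- # allow openssl to be cross-compiled
- cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
- chmod a+rx gentoo.config || die
-
- if use bindist; then
- mv "${WORKDIR}"/bindist-patches/hobble-openssl "${WORKDIR}" || die
- bash "${WORKDIR}"/hobble-openssl || die
-
- cp -f "${WORKDIR}"/bindist-patches/ec_curve.c "${S}"/crypto/ec/ || die
- cp -f "${WORKDIR}"/bindist-patches/ectest.c "${S}"/test/ || die
-
- eapply "${WORKDIR}"/bindist-patches/ec-curves.patch
-
- local known_failing_test
- for known_failing_test in \
- 30-test_evp_extra.t \
- 80-test_ssl_new.t \
- ; do
- ebegin "Disabling test '${known_failing_test}' which is known to fail with USE=bindist"
- rm test/recipes/${known_failing_test} || die
- eend $?
- done
-
- # Also see the configure parts below:
- # enable-ec \
- # $(use_ssl !bindist ec2m) \
- fi
-
- # keep this in sync with app-misc/c_rehash
- SSL_CNF_DIR="/etc/ssl"
-
- # Make sure we only ever touch Makefile.org and avoid patching a file
- # that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
-
- if ! use vanilla ; then
- if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
- [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
- fi
- fi
-
- eapply_user #332661
-
- if has test ${FEATURES} && use sctp && has network-sandbox ${FEATURES}; then
- ebegin "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox"
- rm test/recipes/80-test_ssl_new.t || die
- eend $?
- fi
-
- # make sure the man pages are suffixed #302165
- # don't bother building man pages if they're disabled
- # Make DOCDIR Gentoo compliant
- sed -i \
- -e '/^MANSUFFIX/s:=.*:=ssl:' \
- -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
- -e $(has noman FEATURES \
- && echo '/^install:/s:install_docs::' \
- || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
- -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
- Configurations/unix-Makefile.tmpl \
- || die
-
- # quiet out unknown driver argument warnings since openssl
- # doesn't have well-split CFLAGS and we're making it even worse
- # and 'make depend' uses -Werror for added fun (#417795 again)
- [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
-
- append-flags -fno-strict-aliasing
- append-flags $(test-flags-CC -Wa,--noexecstack)
- append-cppflags -DOPENSSL_NO_BUF_FREELISTS
-
- # Prefixify Configure shebang (#141906)
- sed \
- -e "1s,/usr/bin/env,${EPREFIX}&," \
- -i Configure || die
- # Remove test target when FEATURES=test isn't set
- if ! use test ; then
- sed \
- -e '/^$config{dirs}/s@ "test",@@' \
- -i Configure || die
- fi
- # The config script does stupid stuff to prompt the user. Kill it.
- sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
- ./config --test-sanity || die "I AM NOT SANE"
-
- multilib_copy_sources
-}
-
-multilib_src_configure() {
- unset APPS #197996
- unset SCRIPTS #312551
- unset CROSS_COMPILE #311473
-
- tc-export CC AR RANLIB RC
-
- # Clean out patent-or-otherwise-encumbered code
- # Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
- # IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
- # EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
- # MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
- # RC5: Expired https://en.wikipedia.org/wiki/RC5
-
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
- echoit() { echo "$@" ; "$@" ; }
-
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
- # See if our toolchain supports __uint128_t. If so, it's 64bit
- # friendly and can use the nicely optimized code paths. #460790
- local ec_nistp_64_gcc_128
- # Disable it for now though #469976
- #if ! use bindist ; then
- # echo "__uint128_t i;" > "${T}"/128.c
- # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- # fi
- #fi
-
- local sslout=$(./gentoo.config)
- einfo "Use configuration ${sslout:-(openssl knows best)}"
- local config="Configure"
- [[ -z ${sslout} ]] && config="config"
-
- # Fedora hobbled-EC needs 'no-ec2m'
- # 'srp' was restricted until early 2017 as well.
- # "disable-deprecated" option breaks too many consumers.
- # Don't set it without thorough revdeps testing.
- # Make sure user flags don't get added *yet* to avoid duplicated
- # flags.
- CFLAGS= LDFLAGS= echoit \
- ./${config} \
- ${sslout} \
- $(use cpu_flags_x86_sse2 || echo "no-sse2") \
- enable-camellia \
- enable-ec \
- $(use_ssl !bindist ec2m) \
- enable-srp \
- $(use elibc_musl && echo "no-async") \
- ${ec_nistp_64_gcc_128} \
- enable-idea \
- enable-mdc2 \
- enable-rc5 \
- $(use_ssl sslv3 ssl3) \
- $(use_ssl sslv3 ssl3-method) \
- $(use_ssl asm) \
- $(use_ssl rfc3779) \
- $(use_ssl sctp) \
- $(use_ssl tls-heartbeat heartbeats) \
- $(use_ssl zlib) \
- --prefix="${EPREFIX}"/usr \
- --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
- --libdir=$(get_libdir) \
- shared threads \
- || die
-
- # Clean out hardcoded flags that openssl uses
- local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
- -e 's:^CFLAGS=::' \
- -e 's:\(^\| \)-fomit-frame-pointer::g' \
- -e 's:\(^\| \)-O[^ ]*::g' \
- -e 's:\(^\| \)-march=[^ ]*::g' \
- -e 's:\(^\| \)-mcpu=[^ ]*::g' \
- -e 's:\(^\| \)-m[^ ]*::g' \
- -e 's:^ *::' \
- -e 's: *$::' \
- -e 's: \+: :g' \
- -e 's:\\:\\\\:g'
- )
-
- # Now insert clean default flags with user flags
- sed -i \
- -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
- -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
- Makefile || die
-}
-
-multilib_src_compile() {
- # depend is needed to use $confopts; it also doesn't matter
- # that it's -j1 as the code itself serializes subdirs
- emake -j1 depend
- emake all
-}
-
-multilib_src_test() {
- emake -j1 test
-}
-
-multilib_src_install() {
- # We need to create $ED/usr on our own to avoid a race condition #665130
- if [[ ! -d "${ED}/usr" ]]; then
- # We can only create this directory once
- mkdir "${ED}"/usr || die
- fi
-
- emake DESTDIR="${D}" install
-}
-
-multilib_src_install_all() {
- # openssl installs perl version of c_rehash by default, but
- # we provide a shell version via app-misc/c_rehash
- rm "${ED}"/usr/bin/c_rehash || die
-
- dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
-
- # This is crappy in that the static archives are still built even
- # when USE=static-libs. But this is due to a failing in the openssl
- # build system: the static archives are built as PIC all the time.
- # Only way around this would be to manually configure+compile openssl
- # twice; once with shared lib support enabled and once without.
- use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
-
- # create the certs directory
- keepdir ${SSL_CNF_DIR}/certs
-
- # Namespace openssl programs to prevent conflicts with other man pages
- cd "${ED}"/usr/share/man || die
- local m d s
- for m in $(find . -type f | xargs grep -L '#include') ; do
- d=${m%/*} ; d=${d#./} ; m=${m##*/}
- [[ ${m} == openssl.1* ]] && continue
- [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
- mv ${d}/{,ssl-}${m}
- # fix up references to renamed man pages
- sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
- ln -s ssl-${m} ${d}/openssl-${m}
- # locate any symlinks that point to this man page ... we assume
- # that any broken links are due to the above renaming
- for s in $(find -L ${d} -type l) ; do
- s=${s##*/}
- rm -f ${d}/${s}
- # We don't want to "|| die" here
- ln -s ssl-${m} ${d}/ssl-${s}
- ln -s ssl-${s} ${d}/openssl-${s}
- done
- done
- [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
-
- dodir /etc/sandbox.d #254521
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
- diropts -m0700
- keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_postinst() {
- ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
- c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
- eend $?
-}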